"Michael B Allen" writes:

> If you read the whole thread you'd know I'm only talking about the
> *IntrAnet* scenario. With SPNEGO you do not type in a passwords at all
> whereas with WebAuth you might need to.


You're making a bogus comparison. If you don't have to type in passwords
with SPNEGO Negotiate-Auth, you don't have to type in passwords with
WebAuth either; it can use SPNEGO Negotiate-Auth for initial
authentication. In the Negotiate-Auth case, the password handling is
exactly the same, which one would expect given that it's using exactly the
same protocol and mechanism. (Cosign I think requires the ticket cache on
the central login server, so does introduce the twist of delegation.)

The difference does not lie in SPNEGO handling; it lies in the
architectural complexity, in what the fallback looks like when
Negotiate-Auth doesn't work, and in the delegation and authentication
persistance model.

--
Russ Allbery (rra@stanford.edu)